Description
The Mailchimp module provides tools for creating and managing MailChimp email campaigns with Drupal content. It includes an autocomplete endpoint at `admin/config/services/mailchimp/campaigns/entities` used to search and select site entities (e.g., nodes) when composing campaign content.
The endpoint was registered with `'access callback' => TRUE`, bypassing all access control and making it publicly accessible to unauthenticated users. A visitor could query this endpoint with arbitrary strings to search entity titles across the site and retrieve matching entity titles and IDs.
This vulnerability is mitigated by the fact that the module is relatively uncommon and the endpoint only returns entity titles and numeric IDs, not body content or other sensitive fields.
Solution
Install the latest version.
If you use the Mailchimp module for Drupal 7, upgrade to mailchimp 7.x-5.8:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES
- Ben Di Maggio (bdimaggio)